Data Processing Addendum

This Data Processing Addendum (“Addendum”) is entered into on by and between Saywhatt Online Ltd. or authorized distributors and sales representatives operating on its behalf (“Saywhatt”) and the client who is a party to the services agreement with Saywhatt for the provision of the Saywhatt service (“Client”).

WHEREAS, Saywhatt is involved in processing certain personal data or personal information on behalf of Client (“Client Data”) as part of its Saywhatt service (“Services”) it provides, pursuant to an Agreement between Client and the relevant party acting on behalf of Saywhatt (“Agreement”), and the parties wish to regulate Saywhatt’s processing of such personal data, through this Addendum.

THEREFORE, the parties have agreed to this Addendum, consisting of these parts:

Part: Is applicable and in force?

Part One – General provisions: Always applies and in force

Part Two – EU/EEA or UK GDPR DPA: Only if the Client is subject to the UK or EU/EEA GDPR regarding the personal data that Saywhatt processes for it

Part Three – State Privacy Laws in the U.S.: Only if the Client is subject to state privacy laws in the U.S. regarding the personal data that Saywhatt processes for it

Part Four – Israeli Privacy Protection Regulations (Information Security): Only if the Client is subject to Israeli law regarding the personal data that Saywhatt processes for it

Part 1 (General Provisions)

1. Scope. This Addendum and any of its Parts apply only where Saywhatt is processing Client Data on behalf of the Client and under the Client’s instruction. It does not apply to Saywhatt’s processing data to operate the Services, to market or promote its products, or to administer the business or contractual relationship between Saywhatt and the Client.

2. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Agreement or any other agreement in place between the parties, the provisions of this Addendum prevail. 

3. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Saywhatt’s processing of Client Data, Saywhatt will implement and maintain reasonable security procedures and practices appropriate to the nature of the Client Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).

4. Data Subject Requests. Saywhatt will follow Client’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Client Data, including accessing their data, correcting it, restricting its processing or deleting it. Saywhatt will pass on to Client requests that it receives (if any) from data subjects regarding their information processed by Saywhatt. Saywhatt shall notify Client of the receipt of such request without undue delay, together with the relevant details.

5. Return or deletion of information. Upon Client’s written request where no subsequent further processing is required, Saywhatt shall, at the instruction of Client, either delete, destroy or return to Client, some or all (however instructed) of the personal information that it and its third party suppliers process for Client. Upon Client’s request, Saywhatt will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section.

6. Disclosure. Unless legally prohibited, Saywhatt will provide Client prompt notice of any request it receives from authorities to produce or disclose Client Data it has Processed on Client’s behalf, so that Client (or its customer) may contest or attempt to limit the scope of production or disclosure request.

7. Data Breaches. Saywhatt shall without undue delay notify Client of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data, that it becomes aware of. Saywhatt will investigate the breach, and take all available measures to mitigate the breach and prevent its reoccurrence. Saywhatt will cooperate in good-faith with Client on issuing any statements or notices regarding such breaches, to authorities and data subjects.

8. Subcontracting to suppliers. Client authorizes Saywhatt to subcontract any of its Service-related activities consisting of the processing of the Client Data or requiring Client Data to be processed by any third party supplier without the prior written authorization of Client provided that: (a) Saywhatt shall ensure that the third party is bound by similar obligations under this Part 1; and (b) Saywhatt is liable to Client for the performance of any such third party that fails to fulfil its obligations.

9. Confidentiality. Saywhatt will ensure that its staff authorized to process the Client Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

10. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum, shall be subject to the sole and exclusive jurisdiction and venue specified in the Agreement.

11. Liability. Each party’s total and aggregate liability to the other party under this Addendum for any direct or indirect damages asserted in connection with this Addendum, whether in tort (including negligence), contract, indemnity, strict liability, or otherwise, is capped as specified in the Agreement.

Part 2 (GDPR DPA) 

1. Capitalized terms used in this Part 2 but not defined herein or in the Agreement shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”.

2. Client commissions, authorizes and requests that Saywhatt Process the Client Data under the instructions of Client. Saywhatt will Process the Personal Data only on Client’s behalf (it being understood that Client may be acting as a processor for and on behalf of its client, the Controller). Saywhatt and Client are each responsible for complying with the Data Protection Law as applicable to their roles.

3. Saywhatt will Process the Personal Data only on instructions from Client documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Services. The foregoing applies unless Saywhatt is otherwise required by law to which it is subject (and in such a case, Saywhatt shall inform Client of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Saywhatt shall immediately inform Client if, in Saywhatt's opinion, an instruction is in violation of Data Protection Law.

4. The nature and purposes of the Processing activities are the provision of the Services to the Client. The Personal Data Processed may include: prompts, links, text, recordings and other media provided to Saywhatt and the Service, and e-mail, title, and any other data shared by the Client in regards to its employees. It may also include credit card details of the Client and its employees who make payments for the Service.

5. The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are determined by the Client and include employees of the Client and consumers who would like to access or use the Service and make purchases in the Client’s online store, in which the Service is set to be implemented, accessible or provided.

6. Saywhatt will make available to Client and the Data Controller all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.

7. Saywhatt will make available to Client all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Client upon request.

8. Saywhatt will follow Client’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Service’s capabilities and features. Saywhatt will pass on to Client requests that it receives from Data Subjects regarding their Personal Data Processed by Saywhatt. Any request from Data Subjects arising out of the processing of Personal Data by Saywhatt, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Client. Client is solely liable for responding to Data Subjects on such requests. 

9. Client authorizes Saywhatt to engage another sub-processor for carrying out specific processing activities, provided that Saywhatt informs Client at least 10 business days in advance of any new or substitute sub-processor, in which case Client shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Client so objects, Saywhatt may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and Saywhatt may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Agreement with no liability to Client for such premature termination. At the outset, Client authorizes Saywhatt to engage with Alphabet Inc and OpenAI Inc. 

10. Without limiting the foregoing, in any event where Saywhatt engages another sub-processor, Saywhatt will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the other sub-processor fails to fulfil its data protection obligations, Saywhatt shall remain fully liable to Client for the performance of that other sub-processor’s obligations.

11. Saywhatt and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission (or as applicable, the UK GDPR regulations), as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses).

12. Subject to prior coordination between the Client and Saywhatt as to the timing and agenda of the audit, following Client’s written request, Saywhatt shall allow for and contribute to audits, including carrying out inspections conducted by Client, the Controller, or another auditor mandated by Client or the Controller in order to establish Saywhatt's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Saywhatt processes on behalf of Client. Such audits or inspections shall be carried out during Saywhatt’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandate more frequent audits or inspections), shall be conducted with minimal disruption to Saywhatt’s business activities, and be subject to confidentiality undertakings satisfactory to Saywhatt.

13. Saywhatt will assist, within a reasonable scope of assistance, Client and the Controller with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed).

Part 3 (State Privacy Laws in the U.S.)

1. Definitions

a. “Applicable State Privacy Laws” means the CPRA and other applicable state privacy laws in the United States, such as (but not limited to): Virginia Consumer Data Protection Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Consumer Privacy Act, and the Colorado Privacy Act.

b. “Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Covered Information, during its Processing by Saywhatt.

c. “Consumer” means a natural person, including a natural person in their professional or work capacity.

d. “CPRA” means Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R. §7000 et seq.

e. “Covered Information” means information that Saywhatt's service stores, handles, or otherwise maintains for and on behalf of Client.

f. “Process” (and its cognate terms) means any operation or set of operations that are performed on Covered Information or on sets of Covered Information, whether or not by automated means.

g. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Covered Information for monetary or other valuable consideration.

 

h. “Share” (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Covered Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.

2. Saywhatt may only Process the Covered Information to perform the Agreement. The parties agree that the Client is only disclosing the Covered Information to Saywhatt so that Saywhatt can provide the Services to the Client. Saywhatt is prohibited from retaining, using, or disclosing the Covered Information for any commercial purpose other than the foregoing business purposes. Additionally, Saywhatt is prohibited from retaining, using, or disclosing the Covered Information pursuant to this Agreement outside the direct business relationship between Saywhatt and Client.

 

3. Saywhatt must not Sell or Share any Covered Information it Processes.

 

4. Saywhatt shall comply with all applicable sections of the Applicable State Privacy Laws and shall provide, with respect to Covered Information, the same level of privacy protection as required by Applicable State Privacy Laws. 

 

5. Commensurate with the nature of Saywhatt’s services to Client and in accordance with Client’s specified instructions to Saywhatt, Saywhatt shall help Client to comply with Consumer requests made pursuant to Applicable State Privacy Laws of which Saywhatt is informed by Client.

6. Saywhatt grants Client the right to take reasonable and appropriate steps to ensure that Saywhatt uses the Covered Information in a manner consistent with Client’s obligations under this Addendum and Applicable State Privacy Laws. Saywhatt grants Client the right, upon notice, to take reasonable and appropriate steps to stop and remediate Saywhatt’s unauthorized use of Covered Information.

 

7. Saywhatt must promptly notify Client when it makes a determination that it can no longer meet its obligations under this Addendum or Applicable State Privacy Laws.

Part 4 (Israeli law)

1. Definitions. In this Part, the following terms shall be interpreted as follows: 

1.1 “Applicable Laws” means Israeli Privacy Protection Law, 5741-1981 (hereinafter – the “Privacy Law”) and the regulations promulgated thereunder (and in particular the Privacy Protection Regulations (Information Security), 5777-2017), as well as any legislative or administrative provision or directive that will apply to the Processor in connection with the provision of the services under the Agreement.

 

1.2 “Controller” means the Client.

1.3 "Database" means a collection of personal data held by physical, magnetic or optical means.

1.4 “Personal Data” means information, data and data sets that relates to an individual, and which identifies such individual, or which may be reasonably used in order to identify such individual, regardless of the medium in which such data is being presented, and which the Processor Processes for and on behalf of the Controller within the scope of the Services.

1.5 “Personal Data Breach” means an actual or reasonably suspected incident: (a) of unauthorized access to or use of Personal Data, or such access or use exceeding authorization, or (b) impacting the integrity of the Personal Data in a manner that is not authorized or exceeds authorization.

 

1.6 "Processing" (and its derivatives, including, but not limited to "Process") means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.

 

1.7 “Processor” means Saywhatt.

 

2. Processor’s obligations regarding the Processing of Personal Data

2.1 The Processor shall process the Personal Data for Client solely to provide the Services under the Agreement, and only in the manner determined in the Agreement and in this Part 4, and for no other purpose, unless expressly instructed by Client to do so.

2.2 Processor undertakes to manage access rights to Personal Data, including by way of providing its users with ‘Least Privileges’ based on their ‘Need to Know’, for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Processor will maintain an up-to-date listing of all individuals authorized to access or use the Database and will use measures designed to prevent access to any individual who does not have a need to be exposed to the Personal Data.

2.3 Processor shall not grant access to the Personal Data to its employees, consultants or anyone else acting on its behalf, before reviewing and confirming, within the boundaries of applicable law, that their background, integrity, and reliability are suitable for a position granting them access to Personal Data.

2.4 Processor shall grant its employees access to the Database, subject to conducting training activities regarding privacy protection and information security obligations applicable to the Processor by virtue of the Applicable Laws and this Part 4. 

2.5 Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, as set forth in this Part 4.

2.6 Processor shall develop, implement, and enforce an information security policy that covers at least the following topics (“Information Security Policy”):

2.6.1 Guidelines regarding the physical protection of the Database systems and the sites in which they are located; 

2.6.2 Guidelines regarding the management and monitoring of access authorizations and actions taken in the Database;

2.6.3 Mapping of all of the security measures taken by Processor regarding the Database;

2.6.4 Guidelines for individuals authorized to access Personal Data and Database;

2.6.5 A review of the risks to which the Personal Data is exposed as part of Processor’s ongoing activities including instructions regarding the means of recording, monitoring, and identifying threats to which the Database systems are exposed;

2.6.6 Instructions and procedures regarding the mitigation and management of a Personal Data Breach;

2.6.7 Instructions and procedures regarding the use of removable devices.

 

2.7 Processor shall map the operational environment of the Database. In this regard, Processor shall prepare an inventory list that includes all the systems, software, interfaces, infrastructures of hardware components and communications components that Processor operates in the Database environment for the ongoing operation of the Database (the “Database Systems”). Processor shall update the list of inventories specified in this section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. However, Processor shall update the foregoing list in any case in which substantial changes to the operating environment are implemented in the Database or in the manner in which Personal Data is Processed.

 

3. Disclosure and transfer of Personal Data

3.1 Processor shall not disclose Personal Data in the scope of Processing Personal Data on behalf of Client to any entity, unless Client has provided its prior written consent, except as follows:

 

3.1.1 As strictly necessary for the provision of Services;

3.1.2 Where such disclosure is required by Applicable Law or during legal proceedings, in which case Processor shall notify Client in writing immediately upon receipt of the request and before fulfilling the disclosure request, and will cooperate and disclose the minimum Personal Data necessary to comply with Applicable Law or legal proceedings;

3.1.3 To the extent that Client will approve Processor to use subcontractors or service providers of the Processor, or use a subcontractor or service provider to Process Personal Data (each, a “Sub-contractor”), Processor shall enter into a written, valid, and enforceable agreement with the Sub-contractor containing adequately protective terms on data security consistent with this Part 4. Processor shall provide Client any information reasonably requested by Client about the Processor’s use of Sub-contractors, about the Sub-contractors’ Processing activities for the Processor and their data security practices. Processor shall take reasonable measures to monitor Sub-contractor’s compliance with data security obligations.

 

3.1.4 Processor shall use conventional encryption mechanisms for any transfer of Personal Data to a third party and for any remote connection to the Database Systems.

 

4. Storing, Deletion and Return of Personal Data

 

4.1 Processor undertakes to implement appropriate security measures designed to ensure the integrity of the Personal Data, its availability, confidentiality, and reliability. 

4.2 Processor shall maintain logical separation between the Database Systems and the computer systems used by Processor that are not directly related to the Processing of Personal Data for Client. In the event the Database Systems are connected to the Internet or to another public network, Processor shall install appropriate means of protection against information security incidents, such as firewalls and anti-virus tools.

4.3 Processor shall retain the Personal Data only as strictly necessary to provide the Services to Client, or as mandatory under Applicable Laws.

4.4 Processor shall regularly update the Database Systems, including the software installed in the Database Systems, with information security updates. When operating the Database Systems, Processor will not use software and/or hardware components that the manufacturer does not support in terms of their security aspects.

4.5 Processor will implement measures to prevent the connection of removable devices to the Database Systems or devices Processing Personal Data (to the extent those Database Systems or devices are located in the Processor’s premises or assigned to its employees, consultants, and anyone on its behalf). Notwithstanding the foregoing, portable devices such as laptops and smartphones Processing Personal Data may be used so long as they are encrypted with appropriate, industry-customary encryption.

4.6 In accordance with the Agreement and without prejudice to its generality, Processor shall return, delete or destroy all Personal Data to which this Part 4 applies, including but not limited to, all originals and copies of that Personal Data, in any medium, including but not limited to, hard drives, backup media, and any other magnetic or optical media and all materials derived from, or including, the Personal Data within forty-five (45) days upon Client’s written request for return, deletion or destruction for any reason.

5. Cross-Border Data Transfers

5.1 Processor shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to, the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.

5.2 In addition, Processor shall not transfer Personal Data to a foreign jurisdiction without prior advanced notice to Client, and Client shall be entitled to object to such transfer, on reasonable grounds, within 30 days from receipt of notice. 

5.3 If no objection is provided by Client, Processor shall keep Client updated on material compliance developments in its transfers of Personal Data to foreign jurisdictions, considering the aforementioned regulations.

 

6. Breach of information security

6.1 Processor will notify Client without undue delay and no later than twenty-four (24) hours after becoming aware of a Personal Data Breach, and provide Client with sufficient information to allow Client to meet any obligations to report or inform affected individuals or a supervisory authority of the Personal Data Breach. 

Such notice shall include, at the time of initial notification or without undue delay after the initial notification, details of the nature of the Personal Data Breach, number of records affected, the category and approximate number of affected individuals, anticipated consequences of the Personal Data Breach and any actual or proposed remedies for mitigating the possible adverse effects of the Personal Data Breach.

6.2 In any case of a Personal Data Breach affecting Client Personal Data, Processor also:

6.2.1 Will cooperate with Client and/or anyone on its behalf to investigate the Personal Data Breach as aforesaid and will not release any public statement relating to that Personal Data Breach, except as required by law;

6.2.2 Will take all necessary and appropriate corrective measures to repair the Personal Data Breach.

6.3 In the event of a Personal Data Breach, the parties will discuss the matter and reach an agreement regarding the measures required to repair the Personal Data Breach and the schedule for their implementation.

7. Audit & Documentation

7.1 Processor shall provide Client, at least every 12 months or upon its request, a written approval according to which it performs and fulfills its obligations pursuant to this Part 4 and the provisions of the Applicable Law.

7.2 Processor shall fully cooperate with Client in providing all information and assistance reasonably requested by Client in connection with data security issues and practices and supplementary documents, so as to allow Client to properly address information security, privacy and regulatory matters relating to the Database.

 

7.3 Processor undertakes to allow the representatives of Client and/or any person or entity acting on Client’s behalf to carry out, through advance notice, surveys and audits regarding the performance of Processor’s obligations under this Part 4. It is hereby clarified that as a pre-condition for the performance of such surveys and audits, the surveyor and auditor on behalf of Client shall be required to sign an undertaking in order to maintain confidentiality of Processor’s data to which such surveyor or auditor will be exposed in the course of the survey or audit.

 

8. Term & Termination

All the clauses in this Part 4 that are bound by and required under, the Applicable Law will continue to apply even after the expiration or termination of the Agreement between the parties, provided that Processor continues to retain Client Personal Data.

 

9. Governing Law and Interpretation 

To the extent that there is no contradiction to the foregoing, the relevant clauses of the Agreement shall apply to this Part 4. In the event of a conflict between the provisions of this Part 4 and the provisions of the Agreement, the terms of this Part 4 shall prevail.
